Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

[Users] Checkpoint

From: Abid S. Atilay (abid_at_atilay.com)
Date: Fri May 24 2002 - 22:04:39 CEST

Next message: Peter Mueller: "RE: [Users] Network <-> Network VPN Problems: Help Please"
Previous message: dapunk: "RE: [Users] Network <-> Network VPN Problems: Help Please"
Next in thread: D. Hugh Redelmeier: "Re: [Users] Checkpoint"
Reply: D. Hugh Redelmeier: "Re: [Users] Checkpoint"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

We have a serious problem, we searched the web, mailing lists and archieves
but couldn't find a solution. We would be very much appreciated if you have
some time to look at this.
We have established a VPN between Checkpoint and FreeS/WAN. Everything seems
to be OK except connection is cancelled after an hour. We know that this is
happening because FreeS/WAN's maximum acceptable key lifetime is 28800
seconds. Checkpoint tries to make it 604800 seconds. We can't modify
Checkpoint's settings because IT guys on the Checkpoint machine don't
accept to modify its settings. We must find a solution on our side. What can
we do?
Is there a way to make Pluto accept 604800 seconds? Or how can we refresh
the
ISAKMP SA before it becomes invalid (this happens ever hour, please see the
log
below.) Now, we are runing "ipsec auto --down connection" and "ipsec
auto --up connection" every hour as soon as "no acceptable Oakley Transform"
is written to the syslog. But this way, connection becomes unavailable for a
few minutes every hour until it is re-established. What can we do to keep
the connection alive? Please help us, we are really desperate... Thank you
very much.

Kind Regards,
Abid S. Atilay

May 24 20:59:41 myserver Pluto[3952]: packet from a.b.c.d:500:
ignoring Vendor ID payload
May 24 20:59:41 myserver Pluto[3952]: "myconnection" #146: responding
to Main Mode
May 24 20:59:41 myserver Pluto[3952]: "myconnection" #146: peer
requested 604800 seconds which exceeds our limit 28800 seconds. Attribute
OAKLEY_LIFE_DURATION (variable length)
May 24 20:59:41 myserver Pluto[3952]: "myconnection" #146: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
May 24 20:59:41 myserver Pluto[3952]: "myconnection" #146: no
acceptable Oakley Transform
May 24 20:59:45 myserver Pluto[3952]: packet from a.b.c.d:500:
ignoring Vendor ID payload
May 24 20:59:45 myserver Pluto[3952]: "myconnection" #147: responding
to Main Mode
May 24 20:59:45 myserver Pluto[3952]: "myconnection" #147: peer
requested 604800 seconds which exceeds our limit 28800 seconds. Attribute
OAKLEY_LIFE_DURATION (variable length)
May 24 20:59:45 myserver Pluto[3952]: "myconnection" #147: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
May 24 20:59:45 myserver Pluto[3952]: "myconnection" #147: no
acceptable Oakley Transform

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Peter Mueller: "RE: [Users] Network <-> Network VPN Problems: Help Please"
Previous message: dapunk: "RE: [Users] Network <-> Network VPN Problems: Help Please"
Next in thread: D. Hugh Redelmeier: "Re: [Users] Checkpoint"
Reply: D. Hugh Redelmeier: "Re: [Users] Checkpoint"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:06 CEST